Computer Theft Exposes Personal, Health Data of 654K Oregon Patients

A laptop owned by the transportation vendor of Health Share of Oregon was stolen, exposing the personal and health data of 654,000 patients.

Health Share of Oregon, the state’s largest Medicaid coordinated care organization, is notifying 654,000 patients that their personal and health data was exposed after a laptop was stolen from its transportation vendor, GridWorks.

GridWorks is a contracted non-emergent medical transportation vendor for Health Share.

On November 18, a break-in and theft occurred at the vendor’s office. The laptop contained member names, contact information, dates of birth, and Medicaid ID numbers. Personal health histories were not stored on the laptop.

The notification does not explain whether the data was encrypted or the security mechanism used by the device to protect personal data.

It’s currently unclear who stole the laptop, or whether the data stored on the device has been found, accessed, or used. Because misuse cannot be ruled out, Health Share is providing impacted patients with a year of free credit and identity monitoring and restoration services.

Health Share is currently expanding its annual audits with its contractors, improving workforce training, and “ensuring that all transmission of patient information is kept to the minimum necessary to perform required duties.”

“Though the theft took place at an external vendor, we take our members’ privacy and security very seriously,” Maggie Bennington-Davis, MD, interim Health Share CEO and chief medical officer, said in a statement. “We are ensuring that members, partners, regulators, and the community are made fully aware of this issue.”

This is the second major data breach stemming from a laptop theft in the last few months. According to the Office for Civil Rights, Truman Medical Center reported on December 5, 2019 that the theft of a laptop had impacted 114,466 patients.

The breach notification explained that an employee’s work laptop was stolen from their car. A review completed in October determined the device contained names, dates of birth, medical record or patient account numbers, Social Security numbers, health insurance data, and/or limited treatment or clinical data.

Similar to the Health Share notice, the notification did not explain if the data was encrypted or how the laptop was secured.

The notifications should serve as a reminder that HHS requires covered entities to maintain an asset management plan, including a log of devices, the users responsible for them, and the security measures implemented to protect each device.

HIPAA lists encryption as an addressable implementation specification rather than a required one. That does not make it optional: a covered entity that opts not to encrypt data on devices that leave the facility must document why encryption is not reasonable and appropriate in its environment, and must implement an equivalent alternative measure that achieves the same protection.

“[HIPAA] permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity,” according to HHS. “If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.”
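The asset log and the encrypt-or-document-an-alternative rule in the two passages above are easy to state and easy to let drift. The following is an added example (not code from the article, Health Share, or HHS) of the check a practitioner would automate: it reads the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` produces on a Linux laptop, walks the block-device tree under the root filesystem looking for a dm-crypt (`crypt`) layer, and turns the answer into an inventory record that is compliant only if the disk is encrypted or a documented alternative measure is recorded. The two inventories below are constructed samples, not data from any real device; the hostnames, user names, and the `asset_record`/`audit` helpers are assumptions for illustration.

```python
import json

# Constructed sample: `lsblk -J -o NAME,TYPE,MOUNTPOINT` on a laptop whose root
# filesystem is LVM on top of a LUKS container (assumed layout, not a real host).
ENCRYPTED_LAPTOP = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]}
]}
""")

# Constructed sample from newer util-linux, which emits a "mountpoints" list
# instead of a single "mountpoint"; root sits directly on a plain partition.
UNENCRYPTED_LAPTOP = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoints": [null], "children": [
    {"name": "sda1", "type": "part", "mountpoints": ["/boot/efi"]},
    {"name": "sda2", "type": "part", "mountpoints": ["/"]}
  ]}
]}
""")


def _mountpoints(node):
    """Collect mount points from either the old singular or new plural lsblk field."""
    mps = []
    if node.get("mountpoint"):
        mps.append(node["mountpoint"])
    mps.extend(m for m in node.get("mountpoints", []) if m)
    return mps


def _walk(node, ancestors):
    """Yield the ancestor chain (disk -> ... -> leaf) for every node in the tree."""
    chain = ancestors + [node]
    yield chain
    for child in node.get("children", []):
        yield from _walk(child, chain)


def encryption_status(lsblk_json, mountpoint="/"):
    """Return (encrypted, chain_of_device_names) for the device backing `mountpoint`.

    "Encrypted" means a dm-crypt layer (lsblk type "crypt") sits somewhere between
    the physical disk and the filesystem. It says nothing about how the key is
    protected, so a strong passphrase or TPM-sealed key is a separate check.
    """
    for top in lsblk_json["blockdevices"]:
        for chain in _walk(top, []):
            if mountpoint in _mountpoints(chain[-1]):
                encrypted = any(n.get("type") == "crypt" for n in chain)
                return encrypted, [n["name"] for n in chain]
    raise ValueError(f"no block device is mounted at {mountpoint}")


def asset_record(hostname, user, lsblk_json, alternative_measure=None):
    """Build the inventory entry a device log would carry (hypothetical schema).

    A device is compliant if its root filesystem is encrypted, or if the entity has
    documented an equivalent alternative measure for it, as the Security Rule allows.
    """
    encrypted, chain = encryption_status(lsblk_json)
    return {
        "hostname": hostname,
        "user": user,
        "root_device_chain": chain,
        "full_disk_encryption": encrypted,
        "alternative_measure": alternative_measure,
        "compliant": encrypted or bool(alternative_measure),
    }


def audit(records):
    """Return the hostnames that are neither encrypted nor covered by a documented alternative."""
    return [r["hostname"] for r in records if not r["compliant"]]


if __name__ == "__main__":
    fleet = [
        asset_record("lt-01", "alice", ENCRYPTED_LAPTOP),
        asset_record("lt-02", "bob", UNENCRYPTED_LAPTOP),
        asset_record("lt-03", "carol", UNENCRYPTED_LAPTOP,
                     alternative_measure="ticket SEC-0000: device never leaves facility"),
    ]
    print(json.dumps(fleet, indent=2))
    print("non-compliant:", audit(fleet))
```

On a live host, feed the function `json.loads(subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"]))` instead of the constructed samples. Note that an `alternative_measure` entry only makes a device compliant on paper; the OCR actions discussed below show that "we wrote down a reason" is not accepted when the alternative does not actually protect the data on a device that leaves the building.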

But it’s also important to note that OCR has penalized providers that failed to encrypt data. For example, OCR imposed a $3.2 million civil money penalty on Children’s Medical Center of Dallas in 2017, following the reported loss of an unencrypted, non-password-protected device.

That device contained the data of 3,800 patients. Almost three years later, Children’s Medical reported the theft of another unencrypted device, this one containing the data of 2,462 patients. OCR found that the provider had failed to “deploy encryption or an equivalent alternative measure on all of its laptops, workstations, mobile devices and removable storage media.”
